Verizon cell customers last to know when their data pinched

Verizon has assured the FCC that the FBI and Secret Service will be the first …

In case you Verizon customers ever wonder what will happen if the company discovers
that your cell phone data has been stolen, the wireless giant recently filed
a summary of its procedures with the Federal Communications Commission. Here
is the rundown:

First, Verizon will contact not you, but the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). These two agencies will be notified "as soon as practicable," but no more than seven days after Verizon figures out that the theft took place.

During this first week, no one at Verizon will tell you that there's been a problem with your "Customer Proprietary Network Information" (CPNI), as it is called. We're talking about data on who you called; how long you spoke—that sort of thing. You will only be told in cases of "urgent need" that might cause "irreparable harm." But even in these instances, left up to Verizon to determine, the disclosure will take place only after Verizon discusses the case with the FBI or USSS.

Next, the FBI and/or USSS will consider your situation. "If the relevant investigating agency directs VZT [Verizon Telecom] in writing not to disclose to or notify customers or the public of a CPNI breach because such disclosure or notice would impede or compromise an ongoing or potential criminal investigation or national security," Verizon explains, "VZT will further delay notifying or disclosing the CPNI breach to customers and the public."

Finally, after the "required periods of delay" have taken place, which could be indefinite, you will get the bad news that someone fooled or hacked Verizon into disclosing your records. Verizon's summary does not say whether you will be told that the company also notified the FBI/USSS of the theft, or the extent to which these two law enforcement agencies looked at your stolen data themselves. It does say that Verizon will keep records of these breaches for at least two years.

Getting to "the target"

Verizon's assurances to the FCC are contained in its certification of compliance with the agency's new rules to guard against so-called "pretexters"—con artists who specialize in tricking phone companies into disclosing private records, or have an inside track at the company, then sell the info to data brokers. They, in turn, brazenly sold it on Web sites like LocateCell and DataFind.org—that is until law enforcement shut both of these companies down. Eventually the FCC hit LocateCell with a fine just shy of $100,000.

While taking action against data brokers, the Commission ran a proceeding requested by the Electronic Privacy Information Center on how to toughen up its CPNI protection requirements. During the course of that comment cycle, the Department of Justice, the FBI, and the Department of Homeland Security repeatedly asked the FCC to include rules that delay letting customers know if the security of their records has been violated.

"We also strongly support the right of consumers to be notified in the event of breaches of personal data, including CPNI," then Deputy Attorney General Paul J. McNulty wrote to the FCC in late December of 2006. "However, immediate consumer notification of a breach may tip off the person(s) responsible, causing them, among other things, to destroy evidence, change their behavior, and accelerate their illegal use of any data before consumers or company victims can act. These concerns are particularly acute in cases involving access to electronically-stored records where the electronic evidentiary trail is often short lived and easily compromised by the target." McNulty also asked the FCC to require carriers to retain the breach record for a minimum of two years.

Who needs to know the most?

In April of last year, the agency issued a new set of rules that granted the DOJ's wish. In addition, they prohibit telcos from releasing CPNI to a customer who calls in, unless the customer provides a password. Phone services must tell a customer when their password changes. Carriers must also obtain "explicit consent" from consumers before sharing CPNI with business partners or independent contractors (although as Ars has reported, Verizon has been stretching that restriction to its limit). And finally, carriers must submit an annual statement certifying compliance with the new rules, as Verizon has done.

The FCC's press release announcing its Order did not mention the law enforcement data sharing requirement. But FCC Chair Kevin Martin touched on it in his press statement. "Today’s action also ensures that law enforcement will have necessary tools to investigate and enforce illegal access to customer records," Martin said.

On the other hand, Commissioner Michael Copps dissented on the decision in part—the FBI/USSS disclosure part—calling the new rule "akin to not telling victims of a burglary that their home has been broken into because law enforcement needs to continue dusting for fingerprints."

"If an unauthorized individual has gained access to personal telephone records involving victims of stalking or spousal violence," Copps warned, "it won’t be the carrier or the law enforcement agency—but the victims—who are in the best position to know when and how harm may be heading toward them."

Matthew Lasar / Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz.